How Hackers Could Use A Nest Thermostat As An Entry Point Into Your Home

Security researcher TrapX Security is showing off how hacking an internet-connected thermostat made by Google-owned Nest can be the jumping-off point for gaining control of other devices in your home.

The research is an example of the possible vulnerabilities we're exposing ourselves to as the internet begins pervading every object in our lives, including the home. But it's also important to note that there is no evidence that a Nest device has ever been compromised like this out in the wild, according to Nest. In fact, Nest is one of the more secure devices out there for the still small yet growing smart home industry, according to security researchers.

For this hack to happen, the attacker has to first get physical access to the device. That drastically reduces the likelihood of this hack ever taking place in the real world--but TrapX speculates that this scenario might take place if someone buys a used Nest off of Craigslist or eBay.

TrapX is building on research released last year from the University of Central Florida led by engineering professor Yier Jin. The group originally found that they could get control of the Nest's Linux operating system while the device boots up and load custom software onto it--basically jailbreaking the device--by going through the device's USB port. The researchers showed that their custom software could stop your thermostat data from being sent back to Nest's servers.

“The problem is with the way the hardware is built,” said Jin in a phone interview on Thursday. “That's why after we released this hack almost one year ago and there's still no fix yet. Nest can't repair that.”

TrapX is starting from the same point as Jin's team by going through the USB port and loading custom software onto the Nest's ARM7 processor chip made by Texas Instruments. Once in, TrapX can first obtain the password for the WiFi network that the Nest is hooked up to. The attacker also begins receiving information like whether or not you're home. Data stored on the Nest isn't encrypted--while Nest data sent over the air is encrypted.

Then, using an ARP (Address Resolution Protocol) tool that essentially tricks other devices into talking with the compromised Nest, the attacker can begin receiving data coming off other devices connected to the WiFi network. In testing, TrapX was able to go through the compromised thermostat to exploit known software vulnerabilities found in devices like baby monitors and even a PC with an older, unpatched operating system to gain control of them.

“Once we're inside the network, it's quite trivial to escalate,” said Carl Wright, executive vice president and general manager at TrapX. “There's a lot of devices in the home we're able to jump off of and compromise.”

But there are a few limitations to this attack--aside from the fact that the hacker needs physical access to the thermostat to get started. There's no way TrapX's method could work in an enterprise environment, because enterprises will likely have ARP spoofing detection software installed, said Jin. Also, TrapX will not be able to receive usable data from devices using the ARP spoof if the data is sent through an encrypted channel. But there are plenty of new smart home gadgets out there that don't follow very good security protocols--they favor usability and performance over security.
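The kind of check that ARP spoofing detection software performs can be sketched in a few lines. This is an added example, not code from TrapX, Nest or the article; the addresses and device roles in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, sender_ip, sender_mac) from ARP replies
# seen on a home LAN. All addresses are made up for illustration.
SAMPLE_ARP_REPLIES = [
    (0,  "192.168.1.1",  "aa:aa:aa:00:00:01"),  # router
    (1,  "192.168.1.20", "bb:bb:bb:00:00:20"),  # baby monitor
    (2,  "192.168.1.30", "cc:cc:cc:00:00:30"),  # PC
    (3,  "192.168.1.50", "dd:dd:dd:00:00:50"),  # thermostat
    (60, "192.168.1.1",  "dd:dd:dd:00:00:50"),  # thermostat MAC now claims the router's IP
    (61, "192.168.1.20", "dd:dd:dd:00:00:50"),  # ... and the baby monitor's IP
    (62, "192.168.1.30", "cc:cc:cc:00:00:30"),  # unchanged binding, no alert
]


def detect_arp_spoofing(replies):
    """Flag IP-to-MAC bindings that change and MACs that claim several IPs."""
    ip_to_mac = {}                  # first binding seen per IP (the baseline)
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            # The same IP is suddenly answered by a different hardware address.
            alerts.append({"time": ts, "type": "binding_changed",
                           "ip": ip, "old_mac": known, "new_mac": mac})
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            # One device answering for many hosts is the spoofer's signature.
            alerts.append({"type": "mac_claims_many_ips",
                           "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A binding can also change for benign reasons, such as a DHCP lease moving to a new device, so real tools usually pin the gateway's address and treat other changes as lower-confidence signals.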

Security issues are big for Nest as the company is positioning itself to become a major platform for the growing smart home ecosystem. Its "Works With Nest" program lets other smart gadget makers integrate their products with Nest in the cloud. Devices such as lightbulbs or washing machines can sync up with Nest's thermostat or smoke detector.

A Nest spokesperson commented: "All hardware devices--from laptops to smartphones--are susceptible to hacking with physical access. This is sometimes called a jailbreak or rooting--and describes the kind of hack TrapX performed. A jailbreak doesn't compromise the security of our servers or the connections between our devices and our servers. To the best of our knowledge, no Nest device has ever been compromised remotely. That said, we are constantly working to improve the security of our devices and safeguard our customers."

Nest does have some means of telling when a device has been compromised. When a software update is pushed from the company's servers, it can tell if something isn't right with the operating system.

It's also worth noting that infecting a computer or smartphone would be a much more effective means of launching an attack on a home network. But as we continue to introduce more internet-connected devices into our lives, securing these devices will become more of a pressing concern.

“Established Internet of Things devices aren't encrypting data on their devices because it's very intensive,” said Wright. “Up until now, they've chosen not to include strong security because it impacts cost. They don't want to do it.”

Follow me on Twitter @aatilley or send me an email: atilley@forbes.com